Welcome to Malware Analysis for Hedgehogs. Today we look into PE resources: how a parser locates them in a PE file, and how the meta information about the resources is structured. So we start with the PE file itself. If you haven't watched the previous video about the basic PE structure, please watch that before this video. I will put a link in the description below, and check that out first, because I assume you know what I covered there.

The starting point for finding the resources is the optional header, and the optional header has a so-called data directory. The data directory is simply a list of entries that point to certain data structures. Each entry holds a virtual address (an RVA) and the size of the data structure it points to. One of these entries is the resource table entry (index 2, IMAGE_DIRECTORY_ENTRY_RESOURCE), and that is how the resources are located. So the parser reads the data directory entry for the resource table, and then it knows where to find the resources themselves.

In our example we have two sections, and I will mark the resources green. I got used to green meaning resources because that's the default color for resources in the PortEx Analyzer visualization; that's just the way I associate it. So our resource table entry, in our case, points into section one, to the start of the data structure. The data structure for the resource information is a tree. In our example the tree holds two resources: every leaf of the tree is one resource, and the path from the root down to the leaf contains the meta information that is nice to know. We will do a close-up of the resource tree itself soon. We now also know that section one contains the resource tree, so this section is a so-called resource section in our PE example. There is a convention for section names: a resource section is usually called .rsrc. But you can always violate conventions. These names are for humans, so malware usually doesn't care, and a parser should locate the tree through the data directory rather than through the section name.

Now the close-up of our resource tree. I actually tried to draw a tree. As you know, trees in computer science grow from the top to the bottom, so the root of the tree is at the top, in the air. Then we have our basic structure. On Windows there is the convention that every resource tree has three levels, and every level has a meaning. Level one, the root, is the type of the resource. Level two is the name of the resource. Level three is the language of the resource: if you have a text resource, you might have different versions of it depending on the language. The type comes from a fixed set of predefined types; it says whether the resource is an icon, an image, version information, or something else.

The name directory has entries with either a name identifier (a number) or a name pointer. If it's a pointer, it points to a Unicode string. The string can be anywhere in the resource data; the pointer is an offset relative to the start of the resource tree. The parser needs to know how long that string is, so the string starts with its length, followed by the actual Unicode characters, which are the name of the resource.

The language directory has a language identifier. Every ID stands for a certain language, and there are tables out there where you can look them up. But usually, if you have a parser, it will interpret this for you, so most of the time you don't need the tables. More importantly, the language directory has a data entry pointer. That pointer points to a small data structure, the so-called data entry, which determines the size and the location of the actual raw data for the resource. Let's quickly complete this for the other resource as well.

Now the actual raw data, the green part here. The data entry says how large it is and where it starts; the location is given as a virtual address, so the raw data can be anywhere in the image. It is indicated here by ones and zeros: that's the raw data right here. What it is depends on the resource. If it's an image, it's an image; if it's text, it's some text. It can be anything, including another executable, because some malware puts a second executable in there. The same goes for the other resource, so we have our two resources here.

As I said, the type directory has one entry for every resource type that exists in the file. In our case we have two entries, so the two resources have two different types. Let's fill this out with an example on the right side. We have an icon, so the resource type is RT_ICON, and again there are tables with the type IDs and the corresponding type names. Let's say it's a hedgehog icon: our name is "hedgehog", which has eight characters, and here's the actual icon.

That's it already. I hope you understood now how this works. See you next time, and thanks for watching.
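As an added example that is not part of the original video: the Python script below first builds a constructed .rsrc section holding exactly the two resources described above (an RT_ICON named "hedgehog" and a second resource of a different type), and then walks the three-level type / name / language tree the way a parser would, resolving the string name through its length-prefixed UTF-16 entry and the raw data through the data entry. The section RVA 0x3000, the icon bytes, the RT_VERSION payload and the order in which the builder lays out directories, strings, data entries and raw data are all assumptions made for this example; the structure sizes, the high-bit convention and the RVA in the data entry follow the PE format. The parser refuses trees that break the three-level convention and data that lies outside the section, which is where malformed or deliberately odd samples usually bite a naive walker.

```python
import struct

# Resource type IDs from the Windows headers (RT_ICON = 3, RT_VERSION = 16)
RT_ICON, RT_VERSION = 3, 16
HIGH_BIT = 0x80000000      # on Name: "string offset follows"; on OffsetToData: "subdirectory follows"
OFFSET_MASK = 0x7FFFFFFF   # remaining 31 bits: offset relative to the start of the resource tree
LANG_EN_US = 0x0409        # language identifier for English (United States)


def _entries(node):
    # Windows lists named entries (sorted by string) before ID entries (sorted by number)
    return sorted(node.items(), key=lambda kv: (not isinstance(kv[0], str), kv[0]))


def build_rsrc(tree, section_rva):
    """Serialise {type: {name: {lang: bytes}}} into .rsrc bytes (constructed test input).

    Assumed layout: all directories (pre-order), then name strings, then data entries, then raw data.
    """
    dirs, names, leaves = [], [], []

    def collect(node):
        dirs.append(node)
        for key, child in _entries(node):
            if isinstance(key, str) and key not in names:
                names.append(key)
            if isinstance(child, dict):
                collect(child)
            else:
                leaves.append(child)

    collect(tree)
    dir_off, pos = {}, 0
    for d in dirs:                               # 16-byte header + 8 bytes per entry
        dir_off[id(d)], pos = pos, pos + 16 + 8 * len(d)
    str_off = {}
    for s in names:                              # 2-byte length + UTF-16LE characters
        str_off[s], pos = pos, pos + 2 + 2 * len(s)
    entry_off = {id(b): pos + 16 * i for i, b in enumerate(leaves)}
    pos += 16 * len(leaves)
    raw_off = []
    for b in leaves:
        raw_off.append(pos)
        pos += len(b)

    out = bytearray()
    for d in dirs:
        ents = _entries(d)
        named = sum(isinstance(k, str) for k, _ in ents)
        # IMAGE_RESOURCE_DIRECTORY: Characteristics, TimeDateStamp, Major/Minor version, two counts
        out += struct.pack("<IIHHHH", 0, 0, 0, 0, named, len(ents) - named)
        for key, child in ents:                  # IMAGE_RESOURCE_DIRECTORY_ENTRY: Name, OffsetToData
            name = (HIGH_BIT | str_off[key]) if isinstance(key, str) else key
            off = (HIGH_BIT | dir_off[id(child)]) if isinstance(child, dict) else entry_off[id(child)]
            out += struct.pack("<II", name, off)
    for s in names:                              # IMAGE_RESOURCE_DIR_STRING_U: Length, NameString
        out += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    for b, off in zip(leaves, raw_off):          # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData is an RVA
        out += struct.pack("<IIII", section_rva + off, len(b), 0, 0)
    for b in leaves:
        out += b
    return bytes(out)


def parse_rsrc(section, section_rva):
    """Walk the three-level tree and return [(type, name, language, raw_bytes)]."""

    def read_dir(off):
        n_named, n_id = struct.unpack_from("<HH", section, off + 12)
        ents = []
        for i in range(n_named + n_id):
            name, off_to_data = struct.unpack_from("<II", section, off + 16 + 8 * i)
            if name & HIGH_BIT:                  # name is an offset to a length-prefixed UTF-16 string
                s = name & OFFSET_MASK
                (length,) = struct.unpack_from("<H", section, s)
                name = section[s + 2:s + 2 + 2 * length].decode("utf-16-le")
            ents.append((name, off_to_data))
        return ents

    def subdir(off):
        if not off & HIGH_BIT:                   # three levels is a convention; real files can break it
            raise ValueError("data entry found above level 3 (non-standard resource tree)")
        return off & OFFSET_MASK

    found = []
    for rtype, t_off in read_dir(0):                     # level 1: type
        for rname, n_off in read_dir(subdir(t_off)):     # level 2: name (ID or string)
            for lang, d_off in read_dir(subdir(n_off)):  # level 3: language -> data entry
                if d_off & HIGH_BIT:
                    raise ValueError("subdirectory found at level 3 (non-standard resource tree)")
                rva, size, _codepage, _reserved = struct.unpack_from("<IIII", section, d_off)
                start = rva - section_rva                # assumes the data lives inside this section;
                if not 0 <= start <= len(section) - size:  # a full parser maps RVAs via the section table
                    raise ValueError("resource data lies outside the resource section")
                found.append((rtype, rname, lang, bytes(section[start:start + size])))
    return found


# Constructed sample, not taken from a real binary: an icon named "hedgehog" plus version info with ID 1.
RSRC_RVA = 0x3000                                        # assumed VirtualAddress of the .rsrc section
ICON_BYTES = bytes([0x28, 0, 0, 0, 16, 0, 0, 0, 32, 0, 0, 0, 1, 0, 32, 0])   # placeholder icon header
SAMPLE_TREE = {RT_ICON: {"hedgehog": {LANG_EN_US: ICON_BYTES}},
               RT_VERSION: {1: {LANG_EN_US: b"VS_VERSION_INFO"}}}
SAMPLE_RSRC = build_rsrc(SAMPLE_TREE, RSRC_RVA)

if __name__ == "__main__":
    for rtype, rname, lang, data in parse_rsrc(SAMPLE_RSRC, RSRC_RVA):
        print(f"type={rtype:<3} name={rname!r:<11} lang=0x{lang:04x} size={len(data)}")
```

To run this against a real file, read the section that the resource data directory entry points to (not the section named .rsrc), pass its raw bytes and its VirtualAddress to parse_rsrc, and replace the in-section bounds check with a lookup through the section table, since the RVA in a data entry is allowed to point anywhere in the image.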